ArchLinux: 201512-12: python2-pyamf: XML external entity injection
Summary
PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges.
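The defensive pattern implied by the fix, written as an added example rather than PyAMF's or the advisory's own code: once the XML document has been extracted from the AMF payload, parse it with expat configured to refuse every construct that could make the parser consult an external resource (DOCTYPE, entity declarations, external entity references, parameter entities), and keep a cheap pre-screen that flags such documents for logging. The sample inputs are constructed here; the hostname is a placeholder.

```python
import re
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML contains constructs the hardened parser refuses."""


# Constructed sample inputs (not from the advisory): a benign document and one
# declaring an external entity, the construct the advisory describes.
BENIGN_XML = b'<?xml version="1.0"?><data>hello</data>'
EXTERNAL_ENTITY_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>'
    b"<data>&ext;</data>"
)

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def looks_like_external_entity_use(data: bytes) -> bool:
    """Pre-screen for alerting: does the prolog declare a DOCTYPE with an
    external (SYSTEM/PUBLIC) entity? XML carried inside an AMF payload has
    no legitimate reason to contain either."""
    return bool(_DOCTYPE_RE.search(data) and _EXTERNAL_ENTITY_RE.search(data))


def _refuse(what: str):
    raise UnsafeXMLError(f"{what} not accepted in untrusted XML")


def parse_hardened(data: bytes) -> dict:
    """Parse untrusted XML with expat while refusing DTD machinery entirely,
    which is simpler and safer than vetting individual entities.
    Returns the root tag and the concatenated character data."""
    result = {"root": None, "text": ""}
    p = expat.ParserCreate()
    # Never expand parameter entities; they can pull in an external DTD.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # An exception raised in a handler aborts Parse() and propagates to the caller.
    p.StartDoctypeDeclHandler = lambda *args: _refuse("DOCTYPE declaration")
    p.EntityDeclHandler = lambda *args: _refuse("entity declaration")
    p.ExternalEntityRefHandler = lambda *args: _refuse("external entity reference")

    def start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag

    def chars(text):
        result["text"] += text

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.Parse(data, True)
    return result


def is_accepted(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it refuses it."""
    try:
        parse_hardened(data)
    except UnsafeXMLError:
        return False
    return True


if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN_XML))
    print("external-entity document accepted:", is_accepted(EXTERNAL_ENTITY_XML))
    print("pre-screen flags it:", looks_like_external_entity_use(EXTERNAL_ENTITY_XML))
```

The pre-screen is for detection only (log and count refused documents per client); the parser configuration is the actual control, since a regex can be evaded by encoding tricks that expat will still decode.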
Resolution
Upgrade to 0.8.0-2.
# pacman -Syu "python2-pyamf>=0.8.0-2"
The problem has been fixed upstream in version 0.8.0.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8549
http://ocert.org/advisories/ocert-2015-011.html
https://github.com/hydralabs/pyamf/pull/58
Workaround
None.